Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Greylisting in 7.5 Beta 2 (Problems with Greylisting)
  •  
mastreck

Messages: 18
Karma: 3
Send a private message to this user
I love that this has been an added feature. However I am having some problems with it consistently working. When I first start up the mail server or restart it, it works for a couple of hours and then it starst having issues with connecting to the greylisting server at Kerio. There are no ports blocked on the server, so that is not the problem. Has anyone else been working with the greylisting? Again, if I restart Kerio or the server, it works for a little while.

Here is a sample of the warning logs:
[18/Jun/2012 09:39:34] Greylisting suspended for 13 minutes. While greylisting is suspended it is not applied to incoming messages.
[18/Jun/2012 09:57:32] Greylisting: unable to contact reputation service.
[18/Jun/2012 09:57:32] Greylisting suspended for 14 minutes. While greylisting is suspended it is not applied to incoming messages.
[18/Jun/2012 10:17:30] Greylisting: unable to contact reputation service.
[18/Jun/2012 10:17:30] Greylisting suspended for 13 minutes. While greylisting is suspended it is not applied to incoming messages.
[18/Jun/2012 10:32:52] Greylisting: unable to contact reputation service.
[18/Jun/2012 10:32:52] Greylisting suspended for 17 minutes. While greylisting is suspended it is not applied to incoming messages.
[18/Jun/2012 10:50:03] Greylisting: unable to contact reputation service.
[18/Jun/2012 10:50:03] Greylisting suspended for 17 minutes. While greylisting is suspended it is not applied to incoming messages.
[18/Jun/2012 11:15:40] Greylisting: unable to contact reputation service.
[18/Jun/2012 11:15:40] Greylisting suspended for 12 minutes. While greylisting is suspended it is not applied to incoming messages.
  •  
TorW

Messages: 769
Karma: 9
Send a private message to this user
Can't answer your question, but I have another one for you: is there any available documentation or overview on the greylisting in the beta? I'm very curious about why the greylisting functionality has to contact a "reputation server" at Kerio in order to accept the triplet.
  •  
mastreck

Messages: 18
Karma: 3
Send a private message to this user
TorW wrote on Mon, 18 June 2012 20:37
Can't answer your question, but I have another one for you: is there any available documentation or overview on the greylisting in the beta? I'm very curious about why the greylisting functionality has to contact a "reputation server" at Kerio in order to accept the triplet.



It is in the Kerio Knowledge Base. Search for Greylisting and you will find it.
  •  
TorW

Messages: 769
Karma: 9
Send a private message to this user
Ok, thanks. Based on the explanation in the KB and your log messages, I guess the reputation server is unstable (for whatever reason), you have tripped some kind of rate limiter or you have transient DNS problems. It's a beta after all.

Note that I'm only guessing here, and that there is probably an official beta feedback channel avaliable somewhere. At least I hope so.
  •  
Kedar

Messages: 1320
Karma: 48
Send a private message to this user
We are glad that you are interested in our beta versions. There is available betatesting program in this forum. If you're interested and you want to participate in Kerio Betatesting Program, please fill following entry survey http://www.surveygizmo.com/s3/786330/Kerio-Betatesting-progr am
  •  
freakinvibe

Messages: 1540
Karma: 62
Send a private message to this user
I don't find it a good idea that KC sends stuff to Kerio to do grey listing. All other Mail Servers I know are self-contained, i.e. they remember the triplets themselves and don't have to contact the vendors servers.

If Kerio has problems with its servers, grey listing will not work properly and produce lots of errors, as can be seen in this thread.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Lukas Petrlik (Kerio)

Messages: 117
Karma: 7
Send a private message to this user
mastreck wrote on Mon, 18 June 2012 19:25
When I first start up the mail server or restart it, it works for a couple of hours and then it starst having issues with connecting to the greylisting server at Kerio. There are no ports blocked on the server, so that is not the problem.


Our service is now running for 14 days without any glitch, so this problem must be on the path between your Kerio Connect server and the greylisting service.

Can you turn on "Network Connections and SSL" debug messages and test the connection with the "Test connection" button in the "Greylisting" tab of the Spam Filter settings?

The sequence of lines in the debug log I am interested in will start with

{conn} Looking up host reputation-service.kerio.com in DNS...

Thanks
--
Lukas Petrlik
  •  
pcunix

Messages: 594
Karma: 33
Send a private message to this user
freakinvibe wrote on Tue, 19 June 2012 03:11
I don't find it a good idea that KC sends stuff to Kerio to do grey listing. All other Mail Servers I know are self-contained, i.e. they remember the triplets themselves and don't have to contact the vendors servers.

If Kerio has problems with its servers, grey listing will not work properly and produce lots of errors, as can be seen in this thread.


On the other hand, the KB article states:

If the information is known to the greylisting server (the sender's IP address -- see step 3), the message is delivered.


"is known" includes mail sent to other people, not just you, so that can help cut down on delays.

and remember - it's beta Smile

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
mastreck

Messages: 18
Karma: 3
Send a private message to this user
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: testing connection to greylisting service.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: allocated connection object in 0 ms.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: connecting to reputation service (192.168.44.139:8045)...
[19/Jun/2012 10:18:13][3012423680] {conn} Connecting to 192.168.44.139:8045 via local interface 0.0.0.0 ...
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL handshake started: before/accept initialization
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:before/accept initialization
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 read client hello A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 write server hello A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 write certificate A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 write server done A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 flush data
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 read client key exchange A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 read finished A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 write change cipher spec A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 write finished A
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL_accept:SSLv3 flush data
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL handshake done: SSL negotiation finished successfully
[19/Jun/2012 10:18:13][2994319360] {conn} Established secure server connection from 66.232.79.136:33942 to 66.232.79.251:444 using TLSv1/SSLv3 with cipher AES128-SHA, id 0xc216420
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL3 alert read:warning:close notify
[19/Jun/2012 10:18:13][2994319360] {conn} SSL debug: id 0x1020e050 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:13][2994319360] {conn} Closing socket 150
[19/Jun/2012 10:18:14][2977812480] {conn} SSL debug: id 0xff0f8e0 SSL_accept:SSLv3 read finished A
[19/Jun/2012 10:18:14][2977812480] {conn} SSL debug: id 0xff0f8e0 SSL handshake done: SSL negotiation finished successfully
[19/Jun/2012 10:18:14][2977812480] {conn} Established secure server connection from 97.121.44.133:57526 to 66.232.79.251:4040 using TLSv1/SSLv3 with cipher AES256-SHA, id 0x6a40220
[19/Jun/2012 10:18:15][2977812480] {conn} SSL debug: id 0xff0f8e0 SSL3 alert read:warning:close notify
[19/Jun/2012 10:18:15][2977812480] {conn} SSL debug: id 0xff0f8e0 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:15][2977812480] {conn} Closing socket 162
[19/Jun/2012 10:18:18][3012423680] {conn} Connection to 192.168.44.139:8045 failed: (51) Network is unreachable
[19/Jun/2012 10:18:18][3012423680] {greylist} Greylisting: cannot connect to reputation service (192.168.44.139:8045).
[19/Jun/2012 10:18:18][3012423680] {greylist} Greylisting: unable to contact reputation service.
[19/Jun/2012 10:18:18][3012423680] {greylist} Greylisting: testing connection to greylisting service finished in 0 ms, result is CANNOT_CONNECT.
[19/Jun/2012 10:18:18][3012423680] {conn} SSL debug: id 0xb671200 SSL3 alert read:warning:close notify
[19/Jun/2012 10:18:18][3012423680] {conn} SSL debug: id 0xb671200 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:18][3012423680] {conn} Closing socket 116
[19/Jun/2012 10:18:24][3004436480] {conn} SSL debug: id 0xff40330 SSL3 alert read:warning:close notify
[19/Jun/2012 10:18:24][3004436480] {conn} SSL debug: id 0xff40330 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:24][3004436480] {conn} Closing socket 134
[19/Jun/2012 10:18:24][2999644160] {conn} SSL debug: id 0xff91e90 SSL3 alert read:warning:close notify
[19/Jun/2012 10:18:24][2999644160] {conn} SSL debug: id 0xff91e90 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:24][2999644160] {conn} Closing socket 131
[19/Jun/2012 10:18:25][3008696320] {conn} Connection timeout after 15000 ms (local=66.232.79.251:4040, remote=97.121.44.133:57523)
[19/Jun/2012 10:18:25][3008696320] {conn} SSL debug: id 0xcaa18c0 SSL3 alert write:warning:close notify
[19/Jun/2012 10:18:25][3008696320] {conn} Closing socket 120
  •  
TorW

Messages: 769
Karma: 9
Send a private message to this user
mastreck wrote on Tue, 19 June 2012 18:19
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: testing connection to greylisting service.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: allocated connection object in 0 ms.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: connecting to reputation service (192.168.44.139:8045)...
[19/Jun/2012 10:18:13][3012423680] {conn} Connecting to 192.168.44.139:8045 via local interface 0.0.0.0 ...


That looks strange. This IP address (192.168.44.139) is private, i.e. it is not routable on the internet. Is this by any chance the IP for the host on which you're running VMWare with the beta KC?
  •  
mastreck

Messages: 18
Karma: 3
Send a private message to this user
TorW wrote on Wed, 20 June 2012 01:25
mastreck wrote on Tue, 19 June 2012 18:19
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: testing connection to greylisting service.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: allocated connection object in 0 ms.
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: connecting to reputation service (192.168.44.139:8045)...
[19/Jun/2012 10:18:13][3012423680] {conn} Connecting to 192.168.44.139:8045 via local interface 0.0.0.0 ...


That looks strange. This IP address (192.168.44.139) is private, i.e. it is not routable on the internet. Is this by any chance the IP for the host on which you're running VMWare with the beta KC?



I thought that looked strange as well. No I am not running it on any VMware or virtual machine. It is run straight on Mac OS 10.7.4
  •  
mastreck

Messages: 18
Karma: 3
Send a private message to this user
This is what it looks like right after I restart Kerio and it work for about 20 minutes:

[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: testing connection to greylisting service.
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: allocated connection object in 0 ms.
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: Kerio Connect sent "STATUS" over TLS.
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL handshake started: before/accept initialization
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:before/accept initialization
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:error in SSLv2/v3 read client hello A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 read client hello A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 write server hello A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 write certificate A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 write server done A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 flush data
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 read client key exchange A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 read finished A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 write change cipher spec A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 write finished A
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL_accept:SSLv3 flush data
[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL handshake done: SSL negotiation finished successfully
[19/Jun/2012 17:53:00][2968227840] {conn} Established secure server connection from 75.174.53.167:36806 to 66.232.79.251:443 using TLSv1/SSLv3 with cipher AES128-SHA, id 0x631fc20
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: service responded "230 Logged in" over TLS.
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: testing connection to greylisting service finished in 0 ms, result is SUCCESS.
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL handshake started: before/accept initialization
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:before/accept initialization
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:error in SSLv2/v3 read client hello A
[19/Jun/2012 17:53:01][2977280000] {conn} SSL debug: id 0xab80790 SSL handshake started: before/accept initialization
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL handshake started: before/accept initialization
[19/Jun/2012 17:53:01][2977280000] {conn} SSL debug: id 0xab80790 SSL_accept:before/accept initialization
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:before/accept initialization
[19/Jun/2012 17:53:01][2977280000] {conn} SSL debug: id 0xab80790 SSL_accept:error in SSLv2/v3 read client hello A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:error in SSLv2/v3 read client hello A
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:SSLv3 read client hello A
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:SSLv3 write server hello A
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:SSLv3 write certificate A
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:SSLv3 write server done A
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:SSLv3 flush data
[19/Jun/2012 17:53:01][2976747520] {conn} SSL debug: id 0xab7f540 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xab7f540 SSL_accept:error in SSLv3 read client certificate A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:SSLv3 read client hello A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:SSLv3 write server hello A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:SSLv3 write certificate A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:SSLv3 write server done A
[19/Jun/2012 17:53:01][2977812480] {conn} SSL debug: id 0xaa9bc10 SSL_accept:SSLv3 flush data
  •  
TorW

Messages: 769
Karma: 9
Send a private message to this user
mastreck wrote on Wed, 20 June 2012 01:55
This is what it looks like right after I restart Kerio and it work for about 20 minutes:

[19/Jun/2012 17:53:00][2968227840] {conn} SSL debug: id 0x8997fd0 SSL handshake done: SSL negotiation finished successfully
[19/Jun/2012 17:53:00][2968227840] {conn} Established secure server connection from 75.174.53.167:36806 to 66.232.79.251:443 using TLSv1/SSLv3 with cipher AES128-SHA, id 0x631fc20
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: service responded "230 Logged in" over TLS.
[19/Jun/2012 17:53:00][2969825280] {greylist} Greylisting: testing connection to greylisting service finished in 0 ms, result is SUCCESS.


The four lines above seems to be from two different connections. The IP address beginning with 66 is probably you (mail.foothills.org), and the IP address beginning with 75 is some kind of broadband client. The debug log does not appear to show the reputation server's IP address.

Is the IP address 192.168.44.139 known to you?
  •  
Lukas Petrlik (Kerio)

Messages: 117
Karma: 7
Send a private message to this user
mastreck wrote on Tue, 19 June 2012 18:19
[19/Jun/2012 10:18:13][3012423680] {greylist} Greylisting: testing connection to greylisting service.


Thanks for your report. There was a configuration error in our greylisting service (beta) which is now fixed.

The fixed configuration will be retrieved when you restart Kerio Connect.

Best regards,
--
Lukas Petrlik
BudDurland

Messages: 348

Karma: 10
Send a private message to this user
TorW wrote on Mon, 18 June 2012 14:37
I'm very curious about why the greylisting functionality has to contact a "reputation server" at Kerio in order to accept the triplet.


Me too. Perhaps Kerio is trying to avoid the effort/trouble of implementing a localized database system of some sort, though I can't imagine it would have been that tough. In any event, knowing that the greylisting is cloud based significantly reduces it's attractiveness to me.

Good is better than evil because it's nicer
--Mammy Yokum
Previous Topic: Migration form Apple Mail Server 10.6 to Kerio Connect
Next Topic: Calendar Sharing
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Wed Oct 18 09:24:17 CEST 2017

Total time taken to generate the page: 0.00580 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.